Systems and methods for state-less authentication

US 7,657,531 B2
Filed: 01/05/2006
Issued: 02/02/2010
Est. Priority Date: 04/19/2001
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method of enabling access to a resource of a distributed application server or processing system by a user/client application possessing a valid security-context, comprising the steps of:

receiving the security-context and an appended protected security-context renewal request provided by the user to an access authorization component of the application server or processing system;

verifying the validity of the security-context and the security-context renewal request;

extracting content of both the security-context and the security-context renewal request;

comparing current time to an expiration time identifying time of expiration of the security-context;

if the expiration time is less than the current time, comparing the security-context renewal request with stored identity and authorization information comprising at least one of a user identifier, an organization identifier, a sub-organization identifier, a key, an authentication certificate, an user location, a user role, and an user position identifying the user to the access authorization component and generating a new symmetric key, and other access and authorization information;

generating an updated security-context based on the verifying of the user'"'"'s identity and authorization and based on the user having requested authority for access to the resource and services;

providing the updated security context to the user; and

sending the updated security-context and a request for access to the resource and services by the user to the application server or processing system.

View all claims

8 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

Systems and methods for providing user logon and state-less authentication are described in a distributed processing environment. Upon an attempted access by a user to an online resource, transaction, or record, a logon component asks the user to supply a logon ID and a password. The logon component verifies the provided information, and upon successful identification, a security context is constructed from information relevant to the user. The security context is sent to the user and is presented to the system each time the user attempts to invoke a new resource, such as a program object, transaction, record, or certified printer avoiding the need for repeated logon processing.

102 Citations

View as Search Results

13 Claims

1. A method of enabling access to a resource of a distributed application server or processing system by a user/client application possessing a valid security-context, comprising the steps of:
- receiving the security-context and an appended protected security-context renewal request provided by the user to an access authorization component of the application server or processing system;
  
  verifying the validity of the security-context and the security-context renewal request;
  
  extracting content of both the security-context and the security-context renewal request;
  
  comparing current time to an expiration time identifying time of expiration of the security-context;
  
  if the expiration time is less than the current time, comparing the security-context renewal request with stored identity and authorization information comprising at least one of a user identifier, an organization identifier, a sub-organization identifier, a key, an authentication certificate, an user location, a user role, and an user position identifying the user to the access authorization component and generating a new symmetric key, and other access and authorization information;
  
  generating an updated security-context based on the verifying of the user'"'"'s identity and authorization and based on the user having requested authority for access to the resource and services;
  
  providing the updated security context to the user; and
  
  sending the updated security-context and a request for access to the resource and services by the user to the application server or processing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein a resource identified in the security-context renewal request is at least one of a processor, a program object, and a record of the distributed application server or processing system, and wherein components of the distributed application server or processing system are accessible by an user presenting a valid security-context that contains the required information for authentication.
  - 3. The method of claim 1, wherein the access authorization component provides a symmetric encryption key to the user in a security-context that is used to protect each asynchronous request and resulting response exchanged between the user and the distributed application server or processing system.
  - 4. The method of claim 1, wherein the protected security-context eliminates the need to establish a secure communication session between a user desiring access and the computing resource servicing the request by providing information used in authenticating and processing the security-context and the request, and wherein the request is to renew or change the security-context made to the access authorization component or to access services or resources made to a stateless system component of the distributed processing system.
  - 5. The method of claim 4, wherein the stateless resource receiving the request for access or service verifies the user'"'"'s identity information and authorization information included in the accompanying security-context, verification including checking for agreement with the stored authorization information.
  - 6. The method of claim 5, further comprising the step of:
    - determining, by a stateless component of the processing system, based on the security-context sent with the request for access by the user, whether access to the requested resource and services should be granted to the user and fulfilling the request if authorized.
  - 7. The method of claim 6, wherein the request for access is at least partially encrypted with the symmetric key extracted from the security-context, whereby the receiving resource is allowed to access this same symmetric key to decrypt the request and later to at least partially encrypt the response when required.
  - 8. The method of claim 6, wherein a hash value is computed over the request for access, the hash value being included with the security-context and the request for access sent by the user to the distributed application server or processing system, and wherein integrity of the request for access is verified based on the hash value and access is granted only if the integrity of the hash value is verified.
  - 9. The method of claim 8, wherein the user digitally signs the request for access, the user'"'"'s public key is being included with the security-context and the request for access sent by the user to the distributed application server or processing system, and wherein the user'"'"'s digital signature is verified by the application server or processing system using the user'"'"'s public-key extracted from the security-context, access to the resource being granted only if the user'"'"'s digital signature is authenticated.
  - 10. The method of claim 9, wherein the security-context and request for access and services are included in a wrapper in which together with the digitally signed request enables detection of any unauthorized modification.
  - 11. The method of claim 6, further comprising the step of:
    - after access to the requested resource or service is granted, sending a response to the user that includes a request counter that enables the user to match the responses to the request for access due to more than one distributed resource being able to fulfill the request.
  - 12. The method of claim 1, wherein at least one of a client time and a request counter is sent by the user to the distributed application server or processing system with the security-context and the request for access to the resource to enable the server or system to discard any unauthorized replay of requests that would reduce resource availability.
  - 13. The method of claim 12, wherein the request counter is sent by the user and access to the resource is denied if the request counter differs from a predetermined value set by a security policy that limits overuse of the security-context.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Alto Dynamics, LLC (IP Investments Group LLC)
Original Assignee
Teigel Processing AB LLC (Intellectual Ventures LLC)
Inventors
Bisbee, Stephen F., Twaddell, Gordon W., Peterson, Ellis K., Becker, Keith F., Moskowitz, Jack J.
Primary Examiner(s)
Fleurantin; Jean B

Application Number

US11/325,463
Publication Number

US 20060117015A1
Time in Patent Office

1,489 Days
Field of Search

707 1- 10, 707100-1041, 707200-206, 709/229, 709223-225, 715/743, 726 2- 4
US Class Current

726/4
CPC Class Codes

F23H 17/12   Fire-bars

G06F 16/00   Information retrieval; Data...

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0435   wherein the sending and rec...

H04L 63/083   using passwords cryptograph...

H04L 63/123   received data contents, e.g...

H04L 9/3226   using a predetermined code,...

Y10S 707/99931   Database or file accessing

Y10S 707/99936   Pattern matching access

Systems and methods for state-less authentication

First Claim

8 Assignments

Litigations

0 Petitions

Accused Products

Abstract

102 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for state-less authentication

First Claim

8 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links